Below is demo code; if you run it multiple times you can randomly see a core dump. I studied it a little bit and I believe replaceNode($bar) in this case destroys $bar's underlying XML node, so when $bar is destroyed (I have an explicit undef here; in our real code it happens when Perl recycles that variable) there is a double-free. Not sure if it's something wrong with the ref count management in the XS layer or not. My Perl version is 5.26.3, XML::LibXML version 2.0206, libxml2 2.9.10.
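
#!/usr/bin/env perl
use 5.012;
use warnings;
use XML::LibXML;

my $dom;
my $foo;

# Build <root><foo/></root>; $dom and $foo stay alive at file scope.
sub setup {
    $dom = XML::LibXML::Document->new;
    my $root = $dom->createElement('root');
    $dom->setDocumentElement($root);
    $foo = XML::LibXML::Element->new('foo');
    $root->appendChild($foo);
}

setup();

# $bar is a fresh element that is not attached to any document.
my $bar = XML::LibXML::Element->new('bar');
# Replace the in-tree $foo with $bar.
$foo->replaceNode($bar);
# Explicitly release $bar; the intermittent crash is reported at this point.
undef $bar;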
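
Because the report says the crash only shows up on some runs, a triage step is to run the reproducer many times and count the runs that die from a memory-error signal. The following is an added example, not part of the original report; the function name `crash_count` and the file name `repro.pl` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report).
# crash_count RUNS CMD [ARGS...]
#   Runs CMD RUNS times and prints how many runs were terminated by
#   SIGSEGV, SIGABRT or SIGBUS, the signals a double free typically ends in
#   (glibc aborts on detected heap corruption; otherwise a bad access faults).
# Hypothetical usage against the script above saved as repro.pl:
#   crash_count 200 perl repro.pl
crash_count() {
    runs=$1
    shift
    crashes=0
    i=0
    while [ "$i" -lt "$runs" ]; do
        status=0
        "$@" >/dev/null 2>&1 || status=$?
        sig=""
        if [ "$status" -gt 128 ]; then
            # A status above 128 is not proof of a signal: a Perl die()
            # usually exits 255. kill -l maps a real signal status to its
            # name and fails for values that are not signals.
            sig=$(kill -l "$status" 2>/dev/null) || sig=""
        fi
        case "$sig" in
            SEGV|ABRT|BUS)
                crashes=$((crashes + 1))
                echo "run $i: terminated by SIG$sig" >&2
                ;;
        esac
        i=$((i + 1))
    done
    echo "$crashes"
}
```

A non-zero count confirms the crash is reproducible on the machine under test and gives a baseline rate to compare against after upgrading XML::LibXML or libxml2.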